Safe and secure cloud access with Hybrid Active Directory

Posted on Thursday, May 11, 2017
By Jack Lewis
Microsoft Technical Consultant



Getting larger organisations to the cloud

The past few years have seen a surge in the use of cloud-based applications such as Office 365. However, until recently the uptake amongst larger enterprises has been slower. Apprehensive about security and data sharing, large organisations have too much at stake to play fast and loose with passwords and their corporate data. However, cloud-based applications can offer significant opportunities for operational efficiency, cost saving, simplification, scale, reduction of geographical boundaries and an injection of pace. It is high time for that situation to change, and thankfully it has. So now is the time for large enterprise organisations to take a fresh look at cloud security.

The current position

For on-premises applications that are integrated with Active Directory, your people simply log in once using their Active Directory password and they are ready to go. The introduction of cloud-based applications changes things a little, with users often being asked to log in each time an application is launched, using a variety of different user credentials.

There is a better way of providing your people with simple and secure access to their cloud applications, and that process starts by considering these three areas:

1. Is your organisation willing to ask users to remember another username and password to access cloud services?

The answer is almost certainly no. We're forever being told not to write down passwords, PINs and other security information, and this definitely falls into that category. That means an increase in calls to the IT service desk, a high number of password resets and wasted time.

2. Are you comfortable with sharing passwords outside of your organisation, even with trusted providers such as Microsoft, Amazon or Google?

Again, the answer is probably no. Organisations are worried about cyber security and network attacks, so a release of data to any external organisation will undoubtedly be a concern.

3. Do you want users to log in to each application individually, each time they want to access them?

Almost certainly not. A happy user is a productive user, and continuously prompting them for credentials will only increase frustration. Implementing a single sign-on (SSO) solution removes the need for users to keep entering credentials and reduces the likelihood of password resets clogging up the service desk. Don't forget, too, that if you have separate passwords for these services, they can remain a security risk even after someone has left the company and had their AD account deleted!

What's the solution?

These concerns can be addressed by introducing an enterprise-ready Hybrid Active Directory implementation to facilitate a secure login. There are three core components for a successful Hybrid Active Directory implementation:

  1. The alignment of the User Principal Name (UPN) attribute to each user email address
  2. The implementation of an identity synchronisation tool (for example, Azure AD Connect)
  3. The implementation of an on-premises federation service (for example, Active Directory Federation Services) to control authentication from the on-premises data centre

How do you get there?

To successfully implement a Hybrid Active Directory solution, there are three things that an organisation needs to put in place.

1. In the on-premises Active Directory, each identity's UPN attribute needs to be aligned to its primary email address. This is because cloud applications will typically ask users to authenticate with their email address, as this is a globally unique attribute.

2. Once identities have their UPN attribute aligned, a synchronisation technology needs to be utilised to send identities, group and computer information, and their associated attributes, from your on-premises Active Directory to a federation provider (for example, Azure Active Directory). Organisations retain full control over which attributes are sent during the synchronisation, and typically only a subsection of attributes would be sent.

3. After identity synchronisation has been completed, identities and their associated attributes will exist in the federation provider. At this point, you will need to decide where authentications will take place: either on-premises or in the cloud. Some organisations will want to complete all authentications on-premises, as this provides additional levels of control and SSO without the need to send passwords externally. Others, without an on-premises Active Directory or the need for such control, will complete authentication in the cloud, which limits your SSO capabilities and requires you to store passwords with the federation provider.
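
The UPN alignment in step 1 can be audited before synchronisation is enabled. The PowerShell below is an added example, not part of the original article; the function names `Get-PrimarySmtpAddress` and `Test-UpnAlignment`, the sample accounts and the `corp.example` domain are assumptions made for illustration, and it treats the upper-case `SMTP:` entry in `proxyAddresses` as the primary email address.

```powershell
# Added example: audit UPN / primary email alignment before synchronisation.
# Input needs SamAccountName, UserPrincipalName and proxyAddresses, e.g. from
#   Get-ADUser -Filter * -Properties proxyAddresses
function Get-PrimarySmtpAddress {
    param([string[]]$ProxyAddresses)
    # The primary address carries an upper-case "SMTP:" prefix; aliases use "smtp:".
    $primary = @($ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -eq 1) { return $primary[0].Substring(5) }
    return $null   # none, or more than one: needs manual review
}

function Test-UpnAlignment {
    param([Parameter(Mandatory)][object[]]$User)
    $rows = foreach ($u in $User) {
        $mail = Get-PrimarySmtpAddress -ProxyAddresses $u.proxyAddresses
        if (-not $mail) { $status = 'NoPrimaryEmail' }
        elseif ($u.UserPrincipalName -ieq $mail) { $status = 'Aligned' }
        else { $status = 'Mismatch' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            CurrentUpn     = $u.UserPrincipalName
            PrimaryEmail   = $mail
            Status         = $status
        }
    }
    # UPNs have to be unique, so two accounts sharing one primary address
    # cannot both be aligned to it.
    $dupes = $rows | Where-Object PrimaryEmail |
        Group-Object { $_.PrimaryEmail.ToLower() } |
        Where-Object Count -gt 1 | ForEach-Object Name
    foreach ($r in $rows) {
        if ($r.PrimaryEmail -and $dupes -contains $r.PrimaryEmail.ToLower()) {
            $r.Status = 'DuplicateEmail'
        }
    }
    $rows
}

# Constructed sample accounts (not real data); corp.example is a placeholder domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'alice.smith@corp.example'
        proxyAddresses = @('SMTP:alice.smith@corp.example', 'smtp:asmith@corp.example') }
    [pscustomobject]@{ SamAccountName = 'bjones'; UserPrincipalName = 'bjones@corp.local'
        proxyAddresses = @('SMTP:bob.jones@corp.example') }
    [pscustomobject]@{ SamAccountName = 'svc-print'; UserPrincipalName = 'svc-print@corp.local'
        proxyAddresses = @() }
    [pscustomobject]@{ SamAccountName = 'bjones2'; UserPrincipalName = 'bjones2@corp.local'
        proxyAddresses = @('SMTP:Bob.Jones@corp.example') }
)
Test-UpnAlignment -User $sample | Format-Table -AutoSize
```

Accounts reported as `Mismatch`, `NoPrimaryEmail` or `DuplicateEmail` are the ones to resolve before the first synchronisation run; `Aligned` accounts need no change.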

So there you have it. With the implementation of a fit-for-purpose Hybrid AD solution, all authentications can now be completed on-premises, regardless of where the application resides. No passwords are shared externally, users have a single set of credentials to remember and are only prompted to log in once.

Additional security controls, such as multi-factor authentication (MFA) or device certificate authentication can then be introduced into the authentication flow, further improving your security position.

Speak to a specialist about Hybrid AD

This is a fantastic way of gaining secure access to the cloud and all the services it offers. Here at Softcat, we've got the perfect model to help implement your setup. We'd love to help guide you through: simply give your Softcat account manager a call or get in touch.
